IC card and microprocessor

ABSTRACT

Disclosed herein are an IC card and a microcomputer which have implemented the strengthening of security and the speeding up and enhancement of signal processing for the security. In an IC card, which is supplied with an operating voltage by an electrical connection between each of external terminals and a read/write device, and includes an input-output operation of data with an encoding process or a decoding process, a disturbance-aimed processing operation is included in the encoding process or decoding process to uniformalize timings provided to operate an internal circuit and its operating current. In a microcomputer having a module configuration including an input-output operation of data with an encoding process or a decoding process, a disturbance-aimed processing operation is included in the encoding process or decoding process to uniformalize timings provided to operate an internal circuit and its operating current.

BACKGROUND OF THE INVENTION

[0001] The present invention relates to an IC card and a microcomputer,and particularly to a technology effective for application to a securitytechnology used for ones like an IC card and a stored-program one-chipmicrocomputer, each of which includes a CPU and a memory and performsdata processing using an encoding key.

[0002] Japanese Patent Application Laid-Open No. Hei 10(1998)-69222discloses, as an example, a technology wherein in an IC card whicheffects an encoding process or a decoding process on data by using keyinformation stored in a memory, a delay process for losing a timecorrelation with the contents of the key information is executed duringor before or after the execution of the encoding process or decodingprocess to set up against an operation analytical method like a TA(Timing Attack) method of estimating the contents of execution and anencoding key by using the difference in processing time.

[0003] It has recently been suggested that there is a possibility thatthe contents of an encoding process and an encoding key will easily beestimated by observing and analyzing current consumption at the timethat an IC card is executing the encoding process. This has beendescribed in 8.5.1.1 Passive protective mechanism (pp 263) of “SmartCard Handbook”, by W. Rankl & W. Effing, John Wiley & sons Co., Ltd.

[0004] That is, an SPA (Simple Power Analysis) method analyzes anencoding key and processed data according to the difference betweenoperational or computational instructions or the difference betweenwaveforms of consumed currents developed due to the difference inprocessed data. A DPA (Differential Power Analysis) method statisticallyprocesses waveforms of currents consumed and thereby estimates anencoding key. In the DPA method, a supposed encoding key is applied to acertain portion of DES, for example, and while a plaintext is beingchanged, the waveforms of the consumed currents are measured andstatistics thereabout are collected. This work is repeated while theencoding key is being changed in various ways, and the current waveformexhibits a large peak in the case of a proper key.

[0005] As described in the Publication referred to above, the delayprocess, which has taken into consideration only the TA (Timing Attack)method, is not capable of losing even the correlation of currentconsumption based on an actual computation or operation. This is notcapable of setting up against the operation analytical method like sucha SPA or DPA method as to observe the waveform of each current consumed.To this end, the inventors of the present application have led to thedevelopment of a security technology capable of more reliably preventingdecoding of the contents of an encoding process and an encoding key,based on the observation of the current consumption as described abovewith respect to ones each of which performs a fixed or regular dataprocessing operation according to a stored-program as in the IC card andthe microcomputer mounted to a module like an IC card or the like.

SUMMARY OF THE INVENTION

[0006] An object of the present invention is to provide an IC card and amicrocomputer, which have implemented the strengthening of security.Another object of the present invention is to provide an IC card and amicrocomputer, which have implemented the speeding up of signalprocessing for security and its enhancement. The above, other objects,and novel features of the present invention will become apparent fromthe description of the present specification and the accompanyingdrawings.

[0007] A summary of a typical one of the inventions disclosed in thepresent application will be described in brief as follows: In an IC cardsupplied with an operating voltage by an electrical connection betweeneach of external terminals and a read/write device, and including aninput-output operation of data with an encoding process or a decodingprocess, a disturbance-aimed processing operation similar to an originalprocessing operation is included in the encoding process or decodingprocess to thereby uniformalize timings provided to operate an internalcircuit and its operating current.

[0008] A summary of another typical one of the inventions disclosed inthe present application will be described in brief as follows: In amicrocomputer having a module configuration including an input-outputoperation of data with an encoding process or a decoding process, adisturbance-aimed processing operation similar to an original processingoperation is included in the encoding process or decoding process tothereby uniformalize timings provided to operate an internal circuit andits operating current.

[0009] A summary of a further typical one of the inventions disclosed inthe present application will be described in brief as follows: In an ICcard supplied with an operating voltage by an electrical connectionbetween each of external terminals and a read/write device, andincluding an input-output operation of data with an encoding process ora decoding process based on an encoding processing computing unitoperated in response to instructions given from a central processingunit, the encoding processing computing unit is provided with each ofregisters, which stores data used for a computation for the encodingprocess or decoding process in plural bit units, and data necessaryprior to the encoding process or the decoding process is taken in such aregister.

[0010] A summary of a still further one of the inventions disclosed inthe present application will be explained in brief as follows: In amicrocomputer having a module configuration including an input-outputoperation of data with an encoding process or a decoding process basedon an encoding processing computing unit operated in response toinstructions given from a central processing unit, the encodingprocessing computing unit is provided with each of registers, whichstores data used for a computation for the encoding process or decodingprocess in plural bit units, and data necessary prior to the encodingprocess or the decoding process is brought to the register.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] While the specification concludes with claims particularlypointing out and distinctly claiming the subject matter which isregarded as the invention, it is believed that the invention, theobjects and features of the invention and further objects, features andadvantages thereof will be better understood from the followingdescription taken in connection with the accompanying drawings in which:

[0012]FIG. 1 is an external view showing one embodiment of an IC card towhich the present invention is applied;

[0013]FIG. 2 is a schematic block diagram illustrating one embodiment ofan IC card chip mounted on the IC card according to the presentinvention;

[0014] FIGS. 3(a) and 3(b) are timing charts for describing theoperation of one embodiment of a co-processor according to the presentinvention;

[0015]FIG. 4 is a flowchart for describing the operation of theco-processor shown in FIG. 3;

[0016]FIG. 5 is a block diagram showing one embodiment of theco-processor shown in FIG. 3;

[0017]FIG. 6 is a block diagram illustrating one embodiment forimplementing the operation of the co-processor shown in FIG. 3;

[0018]FIG. 7 is a block diagram depicting another embodiment of theco-processor shown in FIG. 3;

[0019]FIG. 8 is a block diagram showing another embodiment of theco-processor shown in FIG. 3;

[0020] FIGS. 9(a) and 9(b) are configuration diagrams for describing theoperation of another embodiment of a co-processor according to thepresent invention;

[0021]FIG. 10 is a block diagram showing one embodiment for implementingthe operation of the co-processor shown in FIG. 9;

[0022] FIGS. 11(a) and 11(b) are timing charts for describing theoperation of another embodiment of the co-processor according to thepresent invention;

[0023]FIG. 12 is a flowchart for describing the operation of anotherembodiment of the co-processor according to the present invention;

[0024] FIGS. 13(a) and 13(b) are timing charts for describing thedetails of the operation of another embodiment of the co-processoraccording to the present invention;

[0025]FIG. 14 is a block diagram showing one embodiment for implementingthe operation of the co-processor shown in FIGS. 11 through 13;

[0026] FIGS. 15(a) to 15(c) are timing charts for describing theoperation of a further embodiment of a co-processor according to thepresent invention;

[0027]FIG. 16 is a flowchart showing another embodiment of an arithmeticoperation of the co-processor according to the present invention;

[0028]FIG. 17 is a block diagram illustrating a still further embodimentof a co-processor according to the present invention;

[0029]FIG. 18 is a block diagram depicting a still further embodiment ofa co-processor according to the present invention;

[0030]FIG. 19 is a block diagram showing a still further embodiment of aco-processor according to the present invention;

[0031]FIG. 20 is a fragmentary block diagram showing another embodimentof an IC card chip according to the present invention;

[0032]FIG. 21 is a block diagram illustrating one embodiment of acounter shown in FIG. 20;

[0033]FIG. 22 is a timing chart showing one example of the operation ofthe IC card chip shown in FIG. 20;

[0034]FIG. 23 is a fragmentary block diagram depicting a furtherembodiment of an IC card chip according to the present invention;

[0035]FIG. 24 is a timing chart showing one example of the operation ofthe IC card chip shown in FIG. 23;

[0036]FIG. 25 is a flowchart for describing an arithmetic operation towhich the present invention is applicable;

[0037]FIG. 26 is a block diagram showing a still further embodiment of aco-processor employed in the present invention;

[0038]FIG. 27 is a conceptual diagram illustrating a method ofcalculating “R² modN” employed in the present invention;

[0039]FIG. 28 is a fragmentary block diagram depicting one embodiment ofan encoding processing computing unit according to the presentinvention;

[0040]FIG. 29 is a fragmentary block diagram illustrating anotherembodiment of an encoding processing computing unit according to thepresent invention; and

[0041]FIG. 30 is a fragmentary block diagram showing a furtherembodiment of an encoding processing computing unit according to thepresent invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0042] Preferred embodiments of the present invention will hereinafterbe described in detail with reference to the accompanying drawings.

[0043]FIG. 1 shows an external view of one embodiment of an IC card towhich the present invention is applied. The IC card has a card 101 madeup of a plastic case, and a chip for the IC card, which comprises anunillustrated one-chip microcomputer, etc. mounted inside the card 101.Further, the IC card has a plurality of contacts (electrodes) 102respectively connected to external terminals of the IC card chip. Theplurality of contacts 102 include a power supply terminal VCC, a powerreference potential terminal VSS, a reset input terminal {overscore(RES)}, a clock terminal CLK, and data terminals I/O-1/{overscore (IRQ)}and I/O-2/{overscore (IRQ)} such as described later with reference toFIG. 2. The IC card is supplied with power from an external couplingdevice like an unillustrated reader/writer through the contacts 102 andperforms data communications with the external coupling device.

[0044]FIG. 2 is a schematic block diagram of one embodiment of an ICcard chip (microcomputer) mounted on the IC card according to thepresent invention. Although not restricted in particular, respectivecircuit blocks shown in the same drawing are formed on a singlesemiconductor substrate like monocrystalline silicon by the known MOSintegrated circuit manufacturing technology.

[0045] The IC card chip according to the present invention is basicallyidentical in configuration to the microcomputer. The configurationthereof comprises a clock generating circuit 205, a central processingunit (hereinafter might be called simply “CPU”) 201, storage devicessuch as a ROM (Read Only Memory) 206, a RAM (Random Access Memory) 207,a non-volatile memory 208, etc., a co-processor 209 for performingcomputations or operations for encoding and decoding processing, aninput/output port (I/O port) 202, etc.

[0046] The clock generating circuit 205 is a circuit which receives anexternal clock CLK supplied from the unillustrated reader/writer(external coupling device) through the corresponding contact 102 shownin FIG. 1, produces or forms a system clock signal synchronized withsuch an external clock signal and supplies it to the inside of the chip.The CPU 201 is a device for performing a logical operation, anarithmetic operation, etc. and controls a system control logic, a randomnumber generator, a security logic and a timer, etc. The storage devices206, 207 and 208 are respectively devices for storing programs and datatherein. The co-processor 209 comprises a computing or arithmetic unitand a register for performing an exponential residue multiplyingoperation applicable to RSA cryptography or the like, and a controllogic as will be described later. The I/O (input/output) port 202 is adevice which communicates with the reader/writer. A data bus 204 and anaddress bus 203 are buses which connect the respective devices to oneanother.

[0047] Of the storage devices 206, 207 and 208, the ROM 206 is a memoryto which the stored contents is fixed on a nonvolatile basis. This is amemory which principally stores a program therein. The volatile memory(hereinafter called “RAM”) 207 is a memory capable of freely rewritingstored information. However, when the supply of power is discontinued,the stored contents is wiped out or evaporated. Since the supply of thepower is discontinued when the IC card is withdrawn from thereader/writer, the contents of the RAM 207 is not held.

[0048] The non-volatile memory (hereinafter called “EEPROM (ElectricalErasable Programmable Read Only Memory)”) 208 is a non-volatile memorycapable of rewriting the contents. Information temporarily storedtherein is held thereinside even if the supply of the power is stopped.The EEPROM 208 has the need for its rewriting or updating and is used tostore data to be held even if the IC card is drawn from thereader/writer. When the IC card is used as a prepaid card, for example,the prepaid units or the like are updated for each usage. Since theprepaid units or the like in this case are required to be stored andheld in the IC card even if it is withdrawn from the reader/writer, theyare held by the EEPROM 208.

[0049] The CPU 201 is configured in a manner similar to a so-calledmicroprocessor. That is, although its details are not illustrated, theCPU 201 includes thereinside, instruction registers, a micro instructionROM for decoding an instruction written into the instruction registerand forming various microinstructions or control signals, an arithmeticcircuit, general-purpose registers (RG6 or the like), input/outputcircuits such as a bus driver and a bus receiver, etc connected to aninternal bus BUS. The CPU 201 reads an instruction stored in the ROM 206or the like and performs an operation corresponding to the instruction.The CPU 201 performs capturing of external data inputted via the I/Oport 202, reading of each instruction and data like fixed data necessaryto execute the instruction from the ROM 206, and operation control orthe like of the writing of data into the RAM 207 or EEPROM 208 andreading of data therefrom.

[0050] The CPU 201 receives a system clock signal generated from theclock generating circuit 205 therein and is thereby operated accordingto operating timing and a cycle determined based on the system clocksignal. The CPU 201 has an internal principal part comprised of a CMOScircuit which comprises P channel type MOSFETs and N channel typeMOSFETs. Although not restricted in particular, the CPU 201 includes astatic operable CMOS static circuit like a CMOS static flip-flop, and aCMOS dynamic circuit which performs the precharge of an electricalcharge to a signal output node and the output of each signal to thesignal output node in synchronism with the system clock signal.

[0051] As to security functions of the IC card, the RSA encodingprocessing computing unit (co-processor) 209 for performing anexponential remainder or residue computing operation applicable to theRSA cryptography or the like, which is used upon the transmission andreception of data between the IC card and the external device, isincorporated into the chip as a high-security function according to theinvention of the present application in addition to a random numbergenerator for automatically generating random numbers inside the chip, atimer function for generating interrupts at random, etc. A dedicatedregister is built in the present co-processor 209.

[0052] It is essential that a security system for an IC card needs acommunication data encoding process. Even in the case of the presentembodiment, a RSA encoding is used as a public key encryption methodwhich is most frequently used at present. In such cryptography, anexponential residue multiplication X^(Y) modN is used for both encodingand decoding but can be disassembled into two forms of residuemultiplications A² modN and ABmodN according to the known calculationalgorithm. That is, values e_(i) of Y=e_(n) e_(n−1) . . . e₁ arerecognized or checked bit by bit in order from a high-order or uppere_(n) to the least significant e₁. When e_(i)=0, only A² modN iscomputed, and when e_(i)=1, A² modN and ABmodN are computed. Thus, themodes or forms of two types of current waveforms corresponding toe_(i)=0 and 1 would appear since a process for determining whether i=0after the computation of A² modN is carried out when e_(i)=0, and aprocess for determining whether i=0 after the computations of A² modNand ABmodN, are carried out when e_(i)=1.

[0053] When the co-processor 209 is used as in the present embodiment,its current consumption is relatively large in the whole currentconsumption in the IC card. Therefore, the observation of a currentwaveform at this portion makes it possible to relatively easily identifythe operating mode of the co-processor. There is also a possibility thatthe value of the encoding key Y will be decoded by the DPA method andSPA method. Thus, a disturbance-aimed computation is inserted in theco-processor 209 employed in the present embodiment upon computing theexponential residue multiplication X^(Y) modN used for both the encodingand decoding. That is, as shown in a timing chart of FIG. 3 and aflowchart of FIG. 4, both computations of A² modN and ABmodN are alwayscarried out even if e_(i)=0 or 1.

[0054] As shown in FIG. 3(a) in the timing chart of FIG. 3, A² modN isoriginally computed when e_(n)=1. According to a decision 1 of e_(n), atime t1 elapses and ABmodN is computed. After its computation oroperation, i is decremented by (n−1), and a time t2 is spend for thedetermination of i=0. Next, when the next bit e_(n−1)=0, A² modN iscomputed. A decision as to e_(n−1)=0 is made and i is decremented by(n−2). Thus, a time t3 is spent for the determination of i=0. When thenext bit e_(n−2)=1, A² modN is computed. According to a decision 1 ofe_(n−2), the time t1 elapses and ABmodN is computed. After itscomputation, i is decremented by (n−3), and the time t2 is spend for thedetermination of i=0. Similarly, operations similar to above aresubsequently repeated up to e₁.

[0055] In the co-processor 209 employed in the present embodiment,ABmodN is computed after the computation of A² modN regardless of either0 or 1 of each individual bits e_(i) of the encoding key Y. As whene_(n−1)=0 in FIG. 3(b), the computation of ABmodN at the time that e_(i)is a logical 0, is inserted as a disturbance-aimed operation. That is,the computing operations can be established as uniformalized operatingtimings and currents at which as shown in the timing chart of FIG. 3(b)and the flowchart of FIG. 4, a time t1 including, for example, adecision time for making a decision as to e_(i) is spent during thecomputing operations of A² modN and ABmodN, and a decrement operation ofi and a time t2 required to make a decision as to i=0 are spent duringthe computing operations of ABmodN and A² modN corresponding to the nextbit. Since, however, the process for the decision of e_(i) is omittedfrom the flowchart of FIG. 4 in the present embodiment because theresult thereof is not defined as a computing-operation branch condition.

[0056]FIG. 5 is a block diagram of one embodiment of the co-processor.The present embodiment principally comprises an arithmetic unit, acontrol logic, and a dedicated register block. The final result of anexponential residue computation is transmitted to a central processingunit CPU through a data buffer and a data bus. The dedicated registerperforms a selecting operation in response to an address signal suppliedfrom an address bus.

[0057] In the present embodiment, a gate circuit 1 is provided betweenan internal bus MDB and a read/write buffer (R/W Buffer) of the registerblock. The gate circuit 1 is controlled by the control logic so as toclose its opened gate after the result of computation of A² modN hasbeen taken in a predetermined register CDA through the internal bus MDBand the read/write buffer if e_(i) is a logical 0. That is, when theabove result of computation is captured by the read/write buffer, thegate is subsequently closed so as to inhibit the writing of new datainto the read/write buffer. Thus, the result of computation of ABmodN tobe carried out subsequently is handled as invalid data. If e_(i) isgiven as a logical 1, then the gate circuit 1 remains kept in itsgate-open state.

[0058]FIG. 6 is a block diagram of another embodiment of theco-processor. In the present embodiment, a gate circuit 2 is providedbetween a read/write buffer (R/W Buffer) of a register block andrespective registers. The gate circuit 2 is controlled by a controllogic in a manner similar to above so as to close its open gate afterthe result of computation of A² modN has been taken in a predeterminedregister CDA through an internal bus MDB and the read/write buffer ife_(i) is given as a logical 0. That is, when the above result ofcomputation is captured by the register CDA, the gate is subsequentlyclosed so as to inhibit the writing of new data into the register CDA.Thus, the result of computation of ABmodN to be carried out subsequentlyis written into the read/write buffer up thereto but actually handled asinvalid data. If e_(i) is given as a logical 1, then the gate circuit 2remains kept in its gate-open state.

[0059]FIG. 7 is an internal configuration diagram of one embodiment ofthe gate circuit. A disturbance operation write control unit comprisesan AND gate circuit which has one input supplied with a write enablesignal delivered from a control logic and the other input supplied witha write strobe signal generated by an arithmetic unit. A signaloutputted from the gate circuit is transmitted to a data buffer (R/WBuffer) and a dedicated register as a write strobe signal.

[0060] The present embodiment aims to select timing provided to generatea write strobe signal for providing instructions for the operation ofwriting of data into the register or data buffer as an alternative tothe control on the transmission of the result of computation itself.That is, when e_(i)=0, the write enable signal is brought to a low levelafter the result of computation of A² modN is outputted, whereby thegate of the AND gate circuit is closed. When e₁=1 in reverse, thecontrol logic keeps the write enable signal as a high level as it is,and the write enable strobe signal produced from the arithmetic unit istransmitted to the data buffer or the dedicated register as it is. Sinceit is not necessary to provide a plurality of gate circuits inassociation with the result of computation A comprised of plural bits insuch a configuration, the present embodiment can be simplified.

[0061]FIG. 8 is a block diagram of a further embodiment of theco-processor. In the present embodiment, a selector 2 is providedbetween a read/write buffer (R/W Buffer) of a register block andrespective registers, and a disturbance register 1 is provided in theregister block. The selector 2 is controlled by a control logic in amanner similar to the above and forms such a signal path that the resultof computation of A² modN is written into a predetermined register CDAthrough an internal bus MDB and a read/write buffer if e_(i) is given asa logical 0, followed by formation of such a signal path as to selectthe disturbance register 1.

[0062] That is, when the result of computation is taken in the registerCDA, the selector 2 selects the disturbance register 1 subsequently.Therefore, the writing of new data into the register CDA is prohibitedand the result of computation of ABmodN to be carried out subsequentlyis written into the disturbance register. If e_(i) is given as a logical1, then the selector 2 always selects the register CDA. Since thecomputational results can be made precisely identical as viewed fromcurrent waveforms when e_(i) is given as the logical 0 and 1 inclusiveof the operation of writing the results into the registers in thepresent configuration, it is possible to make it difficult to performdecoding using the current waveforms.

[0063]FIG. 9 is a configuration diagram for describing the operation ofthe further embodiment of the co-processor according to the presentinvention. In a timing chart shown in FIG. 9(a) and a flowchart shown inFIG. 9(b), A² modN is continuously carried out as a disturbancecomputing operation even during a time t1 required to make a decision asto e_(i) after the computation of A² modN ad described above, followedby transition to the computation of ABmodN.

[0064] After its computation, i is decremented by (−1) and a time t2 isspent for the determination of i=0. However, even during that time, theabove computation of ABmodN is continuously carried out. Similarly,operations similar to the above are subsequently repeated till e₁. Sincethe above computing operation continues regardless of when e_(i) isgiven as the logical 0 and 1 during the computing operation, aparticular feature cannot be found out as viewed from the standpoint ofeach current waveform in the case of such a configuration, it ispossible to make it difficult to perform decoding using the currentwaveform.

[0065]FIG. 10 is a block diagram of one embodiment for implementing theoperation of the co-processor shown in FIG. 9. A control logic transmitsa disturbance enable signal and a co-processor enable signal. Thedisturbance enable signal and the co-processor enable signal areinputted to an arithmetic unit through an OR gate circuit. Therefore,even when the disturbance enable signal is active in addition to thetime when the co-processor enable signal is active, the arithmetic unitis activated so as to perform a computing operation.

[0066] The disturbance enable signal is supplied to one input of an ANDgate circuit through an inverter circuit, whereas a write strobe signalproduced from the arithmetic unit is supplied to the other input of theAND gate circuit. That is, the transmission of the write strobe signalformed by the arithmetic unit can selectively be stopped according tothe disturbance enable signal. When the co-processor enable signal ismade active and the above normal computing operation is completed, awrite strobe signal for outputting the result of its computation isformed. Thus, when the co-processor enable signal is active, an invertedsignal of the disturbance enable signal is brought to an active leveland controls so as to open the gate of the AND gate circuit. Therefore,the normal result of computation is written into a R/W buffer or apredetermined register of a register block, based on the write strobesignal.

[0067] When the normal computing operation is finished, the disturbanceenable signal is made active and gives instructions for the computingoperation to the arithmetic unit. While the write strobe signal isformed according to the completion of this computation, the gate of theAND gate circuit remains closed by the inverted signal of thedisturbance enable signal. Therefore, the write strobe signal producedby the disturbance-aimed computing operation is not transmitted to theR/W buffer or the predetermined register of the register block. Thus,the result of the disturbance-aimed computation is wiped out or erasedas invalid data.

[0068]FIG. 11 is a timing chart for describing the operation of thefurther embodiment of the co-processor according to the presentinvention. Even when the disturbance-aimed computation is inserted as inthe embodiment shown in FIG. 3, and e_(i) is uniformalized and A² modNand ABmodN are computed as one pair as shown in the timing chart of FIG.11(a), ones (presence) of computational results, each of which needs anoverflow process, and ones (absence) thereof each of which needs nooverflow process, are produced in each individual computations.

[0069] Since such an overflow process makes a computing time longer,either the presence or absence of the overflow process can be identifiedas viewed from the standpoint of each current waveform. Since theestimation of the contents of computation and computed data is alsoconsidered to be not impossible from the characteristic of each currentwaveform, overflow processes are inserted in the same manner as whennecessary even with respect to the computations which need no overflowprocess as shown in the timing chart of FIG. 11(b) in the presentembodiment. That is, this aims to apparently neutralize or invalidatethe identification of the overflow process in order to uniformly executethe operation for each overflow process upon all the computations of A²modN and ABmodN.

[0070]FIG. 12 is a flowchart for describing the operation of the furtherembodiment of the co-processor according to the present invention. Thepresent flowchart corresponds to FIG. 11(b). Each of the computations ofA² modN and ABmodN comprises a remainder or residue arithmetic part andan overflow arithmetic part, which execute the overflow computingprocess regardless of the result of computation.

[0071]FIG. 13 is a timing chart for describing the details of theoperation of the further embodiment of the co-processor according to thepresent invention. Before countermeasures taken in the presentembodiment, the two types corresponding to the computational resultsubjected to the overflow process and one free of the overflow processexist in association with the results of the co-processor computationsof A² modN and ABmodN upon the co-processor computations. Aftercountermeasures taken in the present embodiment, however, the overflowprocesses are always executed regardless of the results of co-processorcomputations of A² modN and ABmodN upon the co-processor computations.Therefore, the overflow process effected on the computing operationwhich eliminates the need for the overflow process is originally definedas a disturbance-aimed operation.

[0072]FIG. 14 is a block diagram of one embodiment for implementing theoperation of the co-processor shown in FIGS. 11 through 13. A controllogic transmits a disturbance overflow signal and a co-processoroverflow signal. The disturbance overflow signal and the co-processoroverflow signal are inputted to an arithmetic unit through an OR gatecircuit. Therefore, even when the disturbance overflow signal is activein addition to the time when the co-processor overflow signal is active,the arithmetic unit is activated so as to perform an overflow processingoperation.

[0073] The co-processor overflow signal is supplied to one input of anAND gate circuit, whereas a write strobe signal produced from thearithmetic unit is supplied to the other input of the AND gate circuit.That is, the transmission of the write strobe signal formed by thearithmetic unit can selectively be stopped when the co-processoroverflow signal is not at an active level. That is, when theco-processor overflow signal is not at the active level, the arithmeticunit performs an overflow process according to the disturbance overflowsignal. Therefore, the write strobe signal formed by such an overflowprocess is made invalid by closing the gate of the gate circuit. Thus,when the normal overflow process is finished, a write strobe signal foroutputting the result of its process is formed and the result of theprocess is written into a R/W buffer or a predetermined register of aregister block.

[0074] On the other hand, when the disturbance overflow signal is madeactive and thereby gives instructions for an overflow processingoperation to the arithmetic unit, a write strobe signal produced by theoverflow process serves so as to close the gate of the AND gate circuitaccording to the co-processor overflow signal. Therefore, the writestrobe signal produced by the disturbance-aimed overflow processingoperation is not transmitted to the R/W buffer or the predeterminedregister of the register block. Thus, the result of thedisturbance-aimed overflow process is wiped out or erased as invaliddata.

[0075]FIG. 15 is a timing chart for describing the operation of a stillfurther embodiment of a co-processor according to the present invention.As shown in FIG. 15(a), A² modN is originally computed when e_(n)=1.According to a decision 1 of e_(n), a time t1 elapses and ABmodN iscomputed. After its computation, i is decremented by (n−1), and a timet2 is spend for the determination of i=0. Next, when the next bite_(n−1)=0, A² modN is computed. A decision as to e_(n−1)=0 is made and iis decremented by (n−2). Upon such a computing operation that a time t3is spent for the determination of i=0, disturbance-aimed cycles areinserted into the times t1, t2 and t3 every computations referred toabove.

[0076] In the timing chart shown in FIG. 15(b), the disturbance-aimedcycles are inserted so that the times set every computations are alignedwith the longest time t3. Thus, since either computation A² modN orABmodN is executed with the time t3 as an interval, each currentwaveform corresponding to a computing operation is apparentlyuniformalized and its identification is invalidated. In the timing chartshown in FIG. 15(c) on the other hand, disturbance-aimed cycles in whichthe time changes at random, are inserted into the intervals set everycomputations referred to above contrary to FIG. 15(b). Eithercomputation A² modN or ABmodN is executed at random on a time basis.Therefore, as viewed from each current waveform, it is brought to acurrent value which is regardless of each computing operation and isirregular. In other words, since the arithmetic unit hasnon-reproducibility as viewed from a statistical point of view so as tovary each time even when the arithmetic unit is placed in the same stateand under the same operation, its identification can be renderedinvalid.

[0077] The disturbance-aimed cycles serve so as to change computingintervals through the use of the timer as shown in FIG. 2.Alternatively, a timer is provided outside the co-processor to await forthe execution of the next computation until a predetermined timeelapses. That is, the disturbance-aimed cycles are inserted into thetimes t1, t2 and t3 set every said computations shown in FIG. 15(a) uponthe computation of the exponential residue multiplication by theco-processor, and an interrupt from the timer is made after the elapseof a predetermined time. Thus, the times t1, t2 and t3 are all keptconstant as shown in FIG. 15(b), whereby the decoding from each currentwaveform is made difficult. Alternatively, random numbers generated by arandom number generator are set to the timer, and the times t1, t2 andt3 may be changed at random every time as shown in FIG. 15(c). The timesmay be counted by software without using the timer.

[0078] Let's assume that the value of Y is processed by two bits orthree bits with the objective of speeding up computations made by theco-processor upon exponential residue multiplication. An example of thetwo-bit processing will be explained as shown in a flowchart of FIG. 16,for example. Since, in this case, respective steps of A² modN, A² modN,ABmodN, i−2 and i=0? are always repeated, a processing time and acurrent waveform become constant even though such a disturbance-aimedcomputation as done bit by bit is not executed. It is thereforedifficult to estimate the value of Y from each current waveform. Sincethe number of times that computations are executed, may also be 1.5 ntimes at all times in the case of the two-bit processing although 2ntimes are taken at maximum in the case of the binary number system, thisleads even to the shortening of an operating time.

[0079] Values of A, B and N are respectively transmitted and stored inregisters dedicated for the co-processor until the computation of theco-processor is started. However, when the two-bit processing is done,four types of B values, B₁, B₂, B₃ and B₄ are required according to thevalue of Y. These values are calculated in advance and stored in a RAM,EEPROM or the like. They are transferred to the co-processor-dedicatedregisters. At this time, however, there is a possibility that acharacteristic will appear in each in-transmission current waveformaccording to the values of the four types of B.

[0080] Let's now consider where data is transferred to a 16-bitprecharge bus, for example. The precharge bus is a bus for aligning thevalues of all buses with “1” before data transmission. When datadifferent in value but identical in the number of bits of “1”, e.g.,“88” and “11” are transferred to the bus in the form of a hexadecimaldigit in which the number of bits of “1” is 2, each individual currentwaveforms are expected to be substantially identical to each other. Thisis because since the number of bits, which changed from “1” to “0”, isthe same, currents are consumed in the same manner and become identicalin waveform to one another.

[0081] If data in which the number of bits of “1” is different by 1,e.g., “89” and “19” in which the number of bits of “1” is 3, aretransferred, then the data is different in current consumption from datain which the number of bits of “1” is 2. This is because since the valueof the bus changes from “1” to “0” by 13 bits, a current is consumedcorrespondingly. Therefore, the current consumption is reduced by onebit as compared with data in which the previous 14 bits change. There isgenerally regularity that the greater the changed number of bits, thehigher each current waveform. The current waveform is apt to be intendedfor a current analysis in which transferred data is considered to beable to be estimated from the regularity. The following contrivances arecarried out to avoid it.

[0082]FIGS. 17 and 18 are respectively block diagrams of still furtherembodiments of co-processors according to the present invention. Theco-processors according to the present embodiments are respectivelyintended for two-bit processing and three-bit processing. That is, theco-increase porcessors increase in register capacity, and four types ofB values, B₁ through B₄ are respectively stored in their correspondingregisters of the co-processor in the case of the two-bit processing,whereas eight types of B values, B₁ through B₈ are respectively storedin their corresponding registers of the co-processor in the case of thethree-bit processing. Thus, the above transfer from a storage circuit(RAM) to the registers of the co-through porcessor through a data bus inthe course of a computation becomes unnecessary, and a protectionagainst the current analysis can be achieved.

Control Register (CCNT)

[0083] bit 7 bit 6 bit 2 bit 1 bit 0 — — . . . e_(i) e_(i−1)

Type of Computation

[0084] bit 2 e_(i) e_(i−1) type of computation 0 0 0 A ← A² modN 0 1 0 A← A modN 0 1 1 A ← A X N 1 0 0 A ← AB₁ modN 1 0 1 A ← AB₂ modN 1 1 0 A ←AB₃ modN 1 1 1 A ← AB₄ modN

[0085] That is, when the co-processor executes ABmodN in the flowchartshown in FIG. 16, the values of two bits (or three bits) of Y areapplied to the bits of the control register (CCNT) of the co-processorin such a manner that it can select and execute the corresponding valuefrom the proper B register CDB of the four (or eight in the case of thethree-bit processing) as described below. In the case of the two-bitprocessing as in the control register and the type of computationreferred to above, the co-processor is caused to select whichcomputation of AB₁ modN, AB₂ modN, AB₃ modN and AB₄ modN should beexecuted.

[0086]FIG. 19 is a block diagram of a still further embodiment of aco-processor according to the present invention. The co-processoraccording to the present embodiment is aimed at plural-bit processingsuch as two-bit processing, three-bit processing. In the presentembodiment, a data bus is provided with switches, which allow datatransmission while a computation is being carried out. Such aconfiguration is effective at performing both the shortening of anexecution time and a countermeasure taken against a current analysiswithout an increase in the register capacity of the co-processor.

[0087] As registers (CDA, CDB, CDN and CDW) dedicated for theco-processor, four registers are exclusively used between a CPU and anarithmetic unit of the co-processor as shown in the same drawing.Efficiency is brought to the execution of the two-bit processing ifwhile A² modN is being carried out twice, the value of B can betransferred from a RAM to the B register CDB in the register unitdedicated for the co-processor during that time.

[0088] I/Os of the A register CDA and the B register CDB of theco-processor are separated from each other. They are provided withread/write buffers (R/W Buffers) and configured so as to be able tooperate independently. While the arithmetic unit is computing A² modN,the data bus is connected to a path 1 (path1) based on a control signalto thereby transfer the value of B from the RAM of the unillustrated CPUto the B register CDB through the separately-provided read/write buffer.Next, when the arithmetic unit executes ABmodN, a path 2 (path2) isselected based on a control signal to thereby send the B value of the Bregister to the arithmetic unit and unallow the unillustrated CPU toaccess the B register CDB. The present method is effective forcountermeasures against the current analysis since a computing time isshortened because the operation of computing A² modN and the operationof transferring the B value are simultaneously carried out, and besidesboth the waveforms of currents consumed for the computation and transfercannot be identified because they overlap one another.

[0089]FIG. 20 is a fragmentary block diagram of another embodiment of achip for an IC card according to the present invention. In the presentembodiment, a memory is provided with a counter upon transfer of databetween an encoding processing computing unit and a memory (RAM). Thepresent embodiment aims to perform current disturbance when four typesof values used for two-bit processing or eight types of values used forthree-bit processing are transferred from the memory RAM providedoutside a co-processor to a B register CDB in a register unit dedicatedfor the co-processor.

[0090] In the present embodiment, such an IC card chip as shown in FIG.2 is provided with a counter on the RAM side. The RAM decodes addresssignals produced by the counter and transmits data to a data bus. Atthis time, a pseudo address produced by a random number generator istransmitted to an address bus. Thus, the correlation between theaddresses and data is not established and hence a current analysis isrendered difficult.

[0091]FIG. 21 is a block diagram of one embodiment of the counter. Thecounter uses a head or leading address register for holding the first orinitial address for a block to be transferred, and an incrementer, andis controlled according to an enable signal for enabling blocktransmission and an increment instruction signal based on a clock or aread/write signal or the like. When the block transmission is started,the leading address for its transfer and an enable signal for thecommencement of its transfer are transferred to the counter by a CPU andheld in the leading address register. Thereafter, the incrementer isactivated in response to the increment instruction signal to form aleading address A+1 of the leading address register. Further, addressesare generated and the contents of the leading address register isrewritten. Therefore, RAM addresses are respectively incremented to A,A+1, A+2, . . . in turn as shown in a timing chart of FIG. 22. Accordingto the addresses, data DA, D_(A+1), D_(A+2), . . . are successivelywritten/read.

[0092] Since the counter does not accept each address from the addressbus after the block transmission is enabled in the present embodiment,the data are properly read out in order even if any value is given tothe address bus. Thus, when random numbers B, C, D, E, . . . produced bya random number generator or the like are outputted to the address bus,a current used up by the address bus can be disturbed and a currentconsumed by the whole chip can be disturbed owing to this effect. It istherefore possible to make it difficult to analyze a chip internaloperation.

[0093]FIG. 23 is a fragmentary block diagram showing a furtherembodiment of a chip for an IC card according to the present invention.Even in the case of the present embodiment, a memory is provided with acounter upon transfer of data between an encoding processing computingunit and a memory (RAM). However, an address offset function is providedso as to disturb even the initial addresses for such an encodingprocessing computing unit and memory RAM. That is, each of randomnumbers produced by a random number generator or the like issimultaneously transferred to a CPU and the counter in advance. Further,a value obtained by adding the random number to the initial address forblock transmission or subtracting it therefrom is outputted to anaddress bus. On the counter side, the value of the address bus isdecoded using the same random number to obtain the initial address.

[0094]FIG. 24 is a timing chart for describing the transfer operation.Random numbers produced by the random number generator are transferredto the CPU and RAM in advance. An offset arithmetic unit 1 transmits anaddress A+S obtained by adding a random number S to the initial addressA for block transmission or subtracting it therefrom to the address bus.On the counter side, the value of the address bus is decoded using thesame random number S to obtain the initial address A from an offsetarithmetic unit 2. Subsequently, the address A is incremented to produceaddresses A+1, A+2, . . . in the same manner as described above. Sincethe random number generator sends random numbers B, C, D, . . . to theaddress bus in synchronism with such addresses A+1 and A+2, a currentused up by the address bus can be disturbed inclusive of the leadingaddress, and hence the analysis of a chip internal operation can berendered more difficult.

[0095] When the exponential residue computation “X^(Y) modN” (where X, Yand N: positive integers) is used in the encoding/decoding device suchas described in the aforementioned embodiment, very large numbersnormally ranging from about 100 bits to about 2000 bits are used as X, Yand N. Therefore, how to execute “X^(Y) modN” at high speed becomesimportant. As one solving method therefor, the following algorithm forexecuting residue multiplication “ABR⁻¹modN” is known. The one ofapplicants of the present application has proposed a microcomputerdisclosed in Japanese Patent Application Laid-Open No. Hei10(1998)-21057 (U.S. Registration Number 5,961,578), wherein asum-of-product arithmetic unit based on the algorithm of “ABR⁻¹modN” isused.

[0096] The above-described algorithm comprises the following steps (1)through (12).

[0097] (1) input X, Y=e_(n) e_(n−1) . . . e₁, N, R

[0098] (2) B=R² modN

[0099] (3) A=X

[0100] (4) A=ABR⁻¹modN+kN

[0101] (5) B=A

[0102] (6) for i=n−1 or 1 step-1 {

[0103] (7) A=A² R⁻¹modN+kN

[0104] (8) if e_(i)=1 then A =ABR⁻¹modN+kN

[0105] (9) }

[0106] (10) A=AR⁻¹mdoN+kN

[0107] (11) A=AmodN

[0108] (12) output A

[0109] In the other embodiment of the present invention, theco-processor 209 shown in FIG. 2 executes “residue multiplication”described “A=ABR⁻¹modN+kN”, etc. in the steps (4), (7), (8) and (10) ofthe algorithm 5. This type of co-processor 209 includes an arithmeticcircuit and a control circuit, which will be described later. The inputvalues A, B, R and N of the residue multiplication and the output valueA are held in a dedicated register or a storage device such as a RAM.

[0110]FIG. 26 is a block diagram of a still further embodiment of aco-processor used in the present invention. In the same drawing,reference numeral 33 indicates a first sum-of-product arithmetic unit,reference numeral 34 indicates a second sum-of-product arithmetic unit,reference numeral 35 indicates a temporary register for holding atemporarily stored value Temp, reference numeral 36 indicates a registerused to store a value A therein, reference numeral 37 indicates aregister used to store a value B therein, and reference numeral 38indicates a register used to store a value N therein, respectively.Reference numeral 39 indicates a M_(i) generating logic, referencenumeral 40 indicates a latch for holding a value M_(i) generated by theM_(i) generating logic 39, and reference numeral 41 indicates a shiftcircuit or shifter for performing “÷2^(L)”, respectively.

[0111] In the present embodiment, a computation “(AB_(i)+M_(i)N)/2^(L)”is executed based on such block division as described in detail in theabove publication. First of all, the first sum-of-product arithmeticunit 33 executes a sum-of-product computation “Temp+A·B_(i)” with avalue Temp of the register 35, a value A of the register 36 and a valueB_(i) of the register 37 as inputs. The result of its computation issent to the second sum-of-product arithmetic unit 34 corresponding tothe next stage as a value Temp2. The value Temp2 is an integer having ann+L bit length.

[0112] On the other hand, the M_(i) generating logic 39 generates aninteger M_(i) of an L bit with numbers A₀, B_(i) and N₀ each having an Lbit length as inputs. The integer M_(i) is temporarily held in theregister 40. The second sum-of-product arithmetic unit 34 executes asum-of-product computation “Temp2+M_(i)·N” with the Temp2, N and M_(i)as inputs. Low-order L bits in the computational result having an n+Lbit length are all 0 and erased by the shifter 41 (i.e., divided by2^(L)). Further, the result of an n bit length is sent to and held inthe register 35 as a value Temp.

[0113] If the above operation is repeatedly executed n/L times, then acomputation “(AB+MN)/R” can be implemented. According to it, it isunnecessary to calculate and hold an integer M of an n bit in advance.Only Mi having an L bit length is determined while the calculation ofthe sum-of-product arithmetic unit 33 is being executed, and it may beheld in the register 40. The time required to calculate a value M can bedeleted and the scale of storing means for holding the value M thereincan be reduced. Further, the sum-of-product arithmetic unit 33 and thesum-of-product arithmetic unit 34 are connected in series to provide acontinuous operation, whereby the need for the specific provision ofstoring means for temporarily holding an intermediate result Temp2having an n+L bit length is eliminated.

[0114] The registers 35 through 38 are respectively connected to thesum-of-product arithmetic units 33 and 34 through a bus 43. Accordingly,a RAM 42 can constitute the registers 35 through 38. It is thus possibleto reduce a register area on a semiconductor chip. Since the amount ofdata transferred through the data bus 43 increases in particular in sucha configuration, the width of the data bus increases and the need foravoiding an increase in the area of the semiconductor chip occurs.However, the series connection of the sum-of-product arithmetic unit 33and the sum-of-product arithmetic unit 34 as in the embodiment shown inFIG. 26 eliminates for the need for the transfer of the intermediateresult Temp2 through the use of the data bus, whereby the amount of datatransmitted through the bus can be reduced.

[0115] Owing to the non-execution of the operations of Temp=0 by thefirst sum-of-product arithmetic unit 33, M_(i)·N=0 by the secondsum-of-product arithmetic unit 34 and “÷2^(L)” by the selector 41 in theco-processor according to the present embodiment, the computing meansshown in the same drawing can be used as a circuit for executing amultiple-length multiplication (corresponding to a multiplication of asmall number B_(i) and a large number A equivalent to its multiplelength) like “A·B_(i)”. The multiple-length multiplying computation like“A·B_(i)” is applied when the computation “R² modN” of the step (2) inthe above algorithm is executed using the microprocessor 201. Thus, sucha computation can be speeded up.

[0116] As shown in a conceptual diagram of the calculation of “R² modN”in FIG. 27, R=2^(n) and n=512. Further, N is set to 512 bits and R² isset so that only the most significant bit is 1 and all of 1024 bits onthe low-order side become a value of 0. When the computation “R² modN”is executed by a microprocessor, the direct division of a large numberR² by a large number N in the same manner is inefficient. Therefore,each dividend is grasped or recognized as a block represented in a64-bit unit as viewed from the most significant or top side. Further,each divisor is grasped as a block represented in a 32-bit unit asviewed from the most significant side. Blocks on the rightmost orhigh-order side are successively subjected to division as objects, andeach of the resultant values is grasped as a rough number of a quotient.

[0117] In the same drawing, for example, Q (=Da÷Na) is grasped as arough number of a quotient. Described schematically, “Q·Na” issubtracted from the upper-order side of R², and “Q·Nb” is subtractedfrom the upper-order side of the result of its subtraction. The resultof “R² modN” can be obtained by a method of effecting a process similarto above on the result of subtraction of “Q·Nb” and repeating thesimilar process with respect to the result of its process.

[0118] Actually, a subtracting process for erasing surplus bits isinterposed in the course of the above procedure. At this time, theprocess for the computation “Q·Nb” is regarded as a multiplying processof large numbers like 32 bits and 480 bits in the first time. However,the multiplying process of such large numbers is repeated any number oftimes. If, at this time, the multiple-length multiplying computationlike “A·B_(i)” computable by the co-processor shown in FIG. 26 is used,in other words, the co-processor is burdened with such a multiple-lengthmultiplying computation, then the process of computing “R² modN” can bespeeded up when the computation “R² modN” of step 2 in the algorithm 5is executed by using the microprocessor 201.

[0119] As described in detail in the Publication (Japanese PatentApplication Laid-Open No. Hei 10(1998)-21057), the computing process of“A=ABR⁻¹modN” in the above algorithm is one for subtracting N from thecomputational result W, i.e., performing a subtraction of W−N in thepresence of an overflow upon a residue multiplication. Therefore, adifference occurs between a computing time and current consumptionaccording to the presence or absence of the overflow. Therefore, thereis a possibility that one will observe a current consumed by theabove-described IC card LSI and analyze an in-chip operation from itstiming and the result of statistical processing.

[0120]FIG. 28 is a fragmentary block diagram of one embodiment of anencoding processing computing unit according to the present invention.The encoding processing computing unit according to the presentembodiment is included in a co-processor included in the one-chipmicrocomputer mounted to the IC card or the like described above.

[0121] Referring to FIG. 28, the A²R⁻¹modN or ABR⁻¹modN are computed bya sum-of-product arithmetic unit or device including the first andsecond arithmetic units 33 and 34 shown in FIG. 26. The result of itscomputation W is stored in a temporary register Temp. When an overflowis developed in the result of computation, an overflow flag OV deliveredfrom the arithmetic unit is stored in an OV storage register of acontrol logic. Subsequently, the subtraction of the computational resultW−N stored in the temporary register Temp is done after the residuemultiplication.

[0122] When the overflow flag OV exists (logical 1), the result of thesubtraction W−N is stored in the temporary register Temp. When nooverflow flag OV exists (logical 0), the result of the subtraction W−Nis not stored in the temporary register Temp but is stored in a suitablestorage circuit other than the temporary register Temp, e.g., a registerA. That is, the operation of storing the subtraction W−N and invaliddata formed according to it in the suitable storage circuit is definedas the disturbance-aimed operation. Thus, even when no overflow occursin the residue multiplication, an operating current flowing in an ICcard in association with the storage of the subtraction of W−N and theresult of its computation in the register is always developed, wherebythe external identification of the presence or absence of the overflowcan be rendered difficult.

[0123] The above-described signal processing is executed according tothe following program.

[0124] W←(AB+MN)/R

[0125] Store OV bit

[0126] if OV then

[0127] W←W−N (normal overflow processing and writing into W)

[0128] Else

[0129] A←W−N (overflow processing for disturbance and writing into A)

[0130] Exchange W and A

[0131] Output A

[0132] In the program referred to above, W indicates a temporaryregister and its data. When no overflow flag OV exists, each address ofthe temporary register Temp is replaced by its corresponding address ofthe register A, whereby data of W or A is outputted as valid data inassociation with the presence/absence of the overflow flag OV. In thepresent embodiment, the address exchange like Exchange W and A iscarried out to thereby output data in the temporary register (W)according to addressing of the register A.

[0133] The above-described signal processing can be replaced by thefollowing program.

[0134] W←(AB+MN)/R

[0135] Store OV bit

[0136] A←W−N (overflow processing and writing into A)

[0137] f! OV then

[0138] Exchange W and A

[0139] Else nop

[0140] Output A

[0141] That is, if no overflow flag OV exists after a subtraction W−Nfor performing the overflow processing with respect to the presence orabsence of the overflow flag OV without condition, and the result of itssubtraction are written into the register A, then the address exchangelike Exchange W and A is done to thereby output the data of thetemporary register (W) according to the addressing of the register A. Ifnot, then the data W−N of the register A is outputted as valid datawithout the address exchange.

[0142] The above-described signal processing can further be replaced bythe following program.

[0143] W←(AB+NM)/R

[0144] Store OV bit

[0145] Exchange W and A

[0146] W←A−N (overflow processing and writing into A)

[0147] if OV then

[0148] Exchange W and A

[0149] Else nop

[0150] Output A

[0151] That is, the address exchange like Exchange W and A is carriedout before the execution of a subtraction W−A for performing theoverflow processing with respect to the presence or absence of theoverflow flag OV to perform a subtraction of A−N, i.e., a subtraction ofW−N, thereby allowing the temporary register (W), i.e., register A tooutput data. If the overflow flag OV exists, then the address exchangelike Exchange W and A is carried out again to output the data of theregister A according to the addressing of the register A. If no overflowflag OV exists, then the data of the temporary register (W) is outputtedaccording to the addressing of the register A while the address exchangeis kept intact as described above. In this configuration, a logiccircuit for performing the writing of data into the register apparentlytakes such a configuration as to write data into the temporary register(W). Thus, logic for writing the data into the register A becomesunnecessary, thereby allowing circuit simplification.

[0152] The exchange of each address between the temporary register Tempand the register A can be implemented by a flag inverting circuit. Thatis, for example, one bits like the least significant bits, of addresssignals supplied from the address bus are set so as to differ from eachother between the temporary register Temp and the register A, and suchbits are simply selectively exchanged by the flag inverting circuit.Thus, the register A can be selected according to the designation of anaddress assigned to the temporary register Temp. The temporary registerTemp can be selected according to an address assigned to the register Ain reverse.

[0153] In the embodiment shown in FIG. 28, the two registers Temp and Aare used and the valid data is always stored in one (e.g., temporaryregister Temp) thereof in association with the overflow flag OV. Theabove address exchange is done to thereby allow the one thereof tooutput valid data according to an address for specifying the register A.The operation of storing the subtraction W−N and invalid data formedaccording to it in a suitable storage circuit is defined as adisturbance-aimed operation. Thus, even when no overflow occurs in theresidue multiplication, an operating current flowing in an IC card inassociation with the storage of the subtraction of W−N and the result ofits computation in the register is always developed, whereby theexternal identification of the presence or absence of the overflow canbe rendered difficult.

[0154] A borrow (Borrow) flag BR may be used in place of the overflowflag employed in the sum-of-product arithmetic unit as in theembodiment. That is, the result W of computation of A²R⁻¹modN orABR⁻¹modN is stored in the temporary register Temp, which stores aborrow flag BR sent from the arithmetic unit at the execution of thesubtraction of W−N. An address is exchanged between the temporaryregister Temp and the register A only when the borrow flag BR exists.Finally, valid data may be read according to the addressing of theregister A.

[0155] The above-described signal processing can be implemented by thefollowing program.

[0156] W←(AB+NM)/R

[0157] A←W−N

[0158] Store BR bit

[0159] if BR then

[0160] Exchange W and A

[0161] Else nop

[0162] Output A

[0163]FIG. 29 is a fragmentary block diagram of another embodiment of anencoding processing computing unit according to the present invention.The encoding processing computing unit according to the presentembodiment is also included in a co-processor included in a one-chipmicrocomputer mounted on the IC card or the like. In the presentembodiment, a selector is provided which outputs either one of a signalof a data bus and the output of the sum-of-product arithmetic unit inaccordance with an overflow flag OV stored in such an OV flag storageregister as described above.

[0164] The subtraction of W−N is carried out after the residuemultiplication. The result of its subtraction W−N and the value of Wread onto the data bus for computation are inputted to the selector.When the overflow flag OV exists, the subtraction result W−N isselected. When no overflow flag OV exists, the value of W on the databus is selected. Further, the selected value is stored in a register A,and A is outputted as finally valid data, whereby an operating currentflowing in the IC card or microcomputer in association with the storageof the subtraction of W−N and the writing of data in the register isalways developed and hence the external identification of the presenceor absence of an overflow can be rendered difficult.

[0165]FIG. 30 is a fragmentary block diagram of a further embodiment ofan encoding processing computing unit according to the presentinvention. In the present embodiment, a register X is added to theregister block in the embodiment shown in FIG. 28. The subtraction ofW−N is carried out after the completion of a residue multiplication inthe same manner as described above. When an overflow flag OV exists, theresult of computation W−N is written into a register A. When no overflowflag OV exists, the subtraction of W−N is written into a register Xdedicated for a disturbance computation. Thereafter, when no overflowflag OV exists, an address is exchanged between a temporary register (W)and the register A, and valid data is finally outputted according to anaddress for selecting the register A.

[0166] The above-described signal processing can be realized by thefollowing program.

[0167] W←(AB+MN)/R

[0168] Store OV bit

[0169] if OV then

[0170] A←W−N (normal overflow processing and writing into A)

[0171] Else

[0172] X←W−N (overflow processing for disturbance and writing into X)

[0173] Exchange W and A

[0174] Output A

[0175] Operations and effects obtained from the above embodiments are asfollows:

[0176] (1) An advantageous effect is obtained in that in an IC cardsupplied with an operating voltage by an electrical connection betweeneach of external terminals and a read/write device, and including aninput-output operation of data with an encoding process or a decodingprocess, a disturbance-aimed processing operation similar to an originalprocessing operation is included in the encoding process or decodingprocess to uniformalize timings provided to operate an internal circuitand its operating current, thereby making it possible to render decodingusing each of current waveforms difficult.

[0177] (2) In addition to the above, an advantageous effect is obtainedin that an exponential residue multiplying operation applicable to RSAcryptography or the like is included in the encoding process or thedecoding process, thereby making it possible to obtain an IC card whichhas realized the strengthening of security protection.

[0178] (3) In addition to the above, an advantageous effect is obtainedin that the exponential residue multiplying operation is carried out byan encoding processing computing unit operated in response toinstructions given from a central processing unit, thereby making itpossible to perform a high-speed data process.

[0179] (4) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit is activated in such amanner that in response to X, Y and N inputted thereto, A=A² modN and A=ABmodN are alternately computed with A=1 and B=X, and if a bit islogical 0 as viewed bit by bit from a high order of Y upon such acomputation, then the computational result of A² modN is taken in astorage circuit as valid data, whereas if it is a logical 1, then thecomputational results of A² modN and ABmodN are taken in a storagecircuit as valid data, and that when the bit is given as the logical 0,the operation of computing A=ABmodN is set as the disturbance-aimedprocessing operation, whereby decoding using each current waveform whileencoding is being carried out, can be rendered difficult.

[0180] (5) In addition to the above, an advantageous effect is obtainedin that a register block comprised of a plurality of registers each ofwhich performs the input/output of data through a read/write buffer, isused as the storage circuit to thereby control a gate circuit accordingto a logical 1 or 0 of a specific bit e_(i) of the Y, and control thetransmission of a write strobe signal supplied to a predeterminedregister, thereby allowing the predetermined register to store onlyvalid data of the computational result through the read/write buffer,whereby decoding using each current waveform while encoding is beingcarried out, can be made difficult.

[0181] (6) In addition to the above, an advantageous effect is obtainedin that a register block comprised of a plurality of registers each ofwhich performs the input/output of data through a read/write buffer, isused as the storage circuit to thereby control a gate circuit accordingto a logical 1 or 0 of a specific bit e_(i) of the Y, and control thetransmission of a write strobe signal supplied to the read/write buffer,thereby allowing the predetermined register to store only valid data ofthe computational result through the read/write buffer, whereby decodingusing each current waveform while encoding is being carried out, can berendered difficult.

[0182] (7) In addition to the above, an advantageous effect is obtainedin that a register block comprising a plurality of registers each ofwhich performs the input/output of data through a read/write buffer, anda disturbance register, is used as the storage circuit, a selector isprovided between the read/write buffer and the disturbance register andplural registers so as to be controlled according to a logical 1 or 0 ofa specific bit ei of the Y, thereby allowing a predetermined register tostore valid data of a computational result written into the read/writebuffer and allowing the disturbance register to store invalid data,whereby decoding using each current waveform while encoding is beingcarried out, can be rendered more difficult.

[0183] (8) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit is activated in such amanner that in response to X, Y and N inputted thereto, A=A modN andA=ABmodN are alternately computed with A=1 and B=X, and if a bit islogical 0 as viewed bit by bit from a high order of Y upon such acomputation, then the computational result of A² modN is taken in astorage circuit as valid data with its output timing, whereas if it is alogical 1, then the computational results of A² modN and ABmodN aretaken in a storage circuit as valid data with its output timing, and theencoding processing computing unit continues the operation of A=A² modNeven during a period from the output of the computational result of A=A²modN to the commencement of the computation of A=ABmodN, and continuesthe operation of A=ABmodN even during a period from the output of thecomputational result of A=ABmodN to the commencement of the computationof A² modN corresponding to the next bit inclusive of a changedetermining process of each bit of the Y, whereby decoding using eachcurrent waveform while encoding is being carried out, can be made moredifficult.

[0184] (9) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit is activated in such amanner that in response to X, Y and N inputted thereto, A=A² modN andA=ABmodN are computed and overflow-computed with A=1 and B=X, and if abit is logical 0 as viewed bit by bit from a high order of Y upon suchcomputations, then the computational result of A² modN is taken in astorage circuit as valid data, whereas if it is a logical 1, then thecomputational results of A² modN and ABmodN are taken in a storagecircuit as valid data, and that a computing operation of A=ABmodN at thelogical 0 and an overflow computation unnecessary for each computingoperation are defined as the disturbance-aimed processing operations,whereby decoding using each current waveform while encoding is beingcarried out, can be rendered more difficult.

[0185] (10) An advantageous effect is obtained in that in an IC cardwhich is supplied with an operating voltage by an electrical connectionbetween each of external terminals and a read/write device, and whichperforms the input/output of data with an encoding process or a decodingprocess, a disturbance-aimed computation is included in the encodingprocess or decoding process to allow timings provided to operate aninternal circuit and its operating current to have irregularities,thereby making it possible to render decoding using each of currentwaveforms more difficult.

[0186] (11) An advantageous effect is obtained in that in an IC cardwhich is supplied with an operating voltage by an electrical connectionbetween each of external terminals and a read/write device, and whichperforms the input/output of data with an encoding process or a decodingprocess, disturbance-aimed cycles are included in intervals forrespective computations in the encoding process or decoding process toallow timings provided to operate an internal circuit and its operatingcurrent to have irregularities, whereby decoding using each currentwaveform while encoding is being carried out, can be made moredifficult.

[0187] (12) An advantageous effect is obtained in that in amicrocomputer having a module configuration including an input-outputoperation of data with an encoding process or a decoding process, adisturbance-aimed processing operation is included in the encodingprocess or decoding process to uniformalize timings provided to operatean internal circuit and its operating current, whereby decoding usingeach current waveform with respect to the moduled microcomputer can bemade difficult.

[0188] (13) In addition to the above, an advantageous effect is obtainedin that the module configuration of the microcomputer is formed on onesemiconductor substrate, thereby making it possible to prevent evendirect decoding of programs or data or the like other than each currentwaveform while a size reduction thereof is being achieved.

[0189] (14) In addition to the above, an advantageous effect is obtainedin that the encoding process or decoding process of the microcomputerincludes an exponential residue multiplying operation applicable to RSAcryptography or the like, and the exponential residue multiplyingoperation is executed by an encoding processing computing unit operatedin response to instructions given from a central processing unit,whereby a high-speed encoding processing operation can be carried out.

[0190] (15) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit of the microcomputer isactivated in such a manner that in response to X, Y and N inputtedthereto, A=A² modN and A=ABmodN are computed with A=1 and B=X, and if abit is logical 0 as viewed bit by bit from a high order of Y upon such acomputation, then the computational result of A² modN is taken in astorage circuit as valid data, whereas if it is a logical 1, then thecomputational results of A² modN and ABmodN are taken in a storagecircuit as valid data, and that when the bit is given as the logical 0,the operation of computing A=ABmodN is set as the disturbance-aimedprocessing operation, whereby decoding using each current waveform whileencoding is being carried out, can be rendered difficult.

[0191] (16) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit of the microcomputer isactivated in such a manner that in response to X, Y and N inputtedthereto, A=A² modN and A=ABmodN are computed with A=1 and B=X, and if abit is logical 0 as viewed bit by bit from a high order of Y upon such acomputation, then the computational result of A² modN is taken in astorage circuit as valid data with its output timing, whereas if it is alogical 1, then the computational results of A² modN and ABmodN aretaken in a storage circuit as valid data with its output timing, and theencoding processing computing unit continues the operation of A=A² modNeven during a period from the output of the computational result of A=A²modN to the commencement of the computation of A=ABmodN, and continuesthe operation of A=ABmodN even during a period from the output of thecomputational result of A=ABmodN to the commencement of the computationof A² modN corresponding to the next bit inclusive of a changedetermining process of each bit of the Y, whereby decoding using eachcurrent waveform while encoding is being carried out, can be madedifficult.

[0192] (17) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit of the microcomputer isactivated in such a manner that in response to X, Y and N inputtedthereto, A=A² modN and A=ABmodN are computed and overflow-computed withA=1 and B=X, and if a bit is logical 0 as viewed bit by bit from a highorder of Y upon such computations, then the computational result of A²modN is taken in a storage circuit as valid data, whereas if it is alogical 1, then the computational results of A² modN and ABmodN aretaken in a storage circuit as valid data, and that a computing operationof A=ABmodN at the logical 0 and an overflow computation unnecessary foreach computing operation are defined as the disturbance-aimed processingoperations, whereby decoding using each current waveform while encodingis being carried out, can be rendered difficult.

[0193] (18) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit computes A=A²R⁻¹modN andA=ABR⁻¹modN according to the value of each bit of Y with A=1 and B=X inresponse to X, Y and N inputted thereto, and performs a normal operationfor performing the subtraction W−N of N from the computational result Wwhen an overflow occurs in each computational result, and adisturbance-aimed operation for generating invalid data, based on acomputation corresponding to the subtraction W−N even when no overflowoccurs in each individual computational results, thereby outputtingvalid data according to the presence or absence of the overflow, wherebydecoding using each current waveform can be rendered difficult while theencoding processing computing unit is being simplified and speeded up.

[0194] (19) In addition to the above, an advantageous effect is obtainedin that the computational result W of A²R⁻¹modN or ABR⁻¹modN is storedin a first storage circuit, the presence or absence of an overflow flagOV of an arithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, the result of computation thereofis stored in the first storage circuit when the overflow flag OV exists,the result of computation thereof is stored in a second storage circuitdifferent from the first storage circuit as the disturbance-aimedoperation when no overflow flag OV exists, and the computational resultof the first storage circuit is outputted as valid data, wherebydecoding using each current waveform can be made difficult while thesimplification and speeding up of the encoding processing computing unitare being carried out.

[0195] (20) In addition to the above, an advantageous effect is obtainedin that the computational result W of A²R⁻¹modN or ABR⁻¹modN is storedin a first storage circuit, the presence or absence of an overflow flagOV of an arithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and the computational result W−Nis selected by a selector when the overflow flag OV exists, whereas whenno overflow flag OV exists, the computational result W of the firststorage circuit is selected by the selector and stored in a secondstorage circuit, whereby decoding using each current waveform can berendered difficult while the simplification and speeding up of theencoding processing computing unit is being carried out.

[0196] (21) In addition to the above, an advantageous effect is obtainedin that the computational result W of A²R-¹modN or ABR⁻¹modN is storedin a first storage circuit, the presence or absence of an overflow flagOV of an arithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and when the overflow flag OVexists, the subtraction W−N is stored in a second storage circuit, whenno overflow flag OV exists, the subtraction W−N is stored in a thirdstorage circuit, when the overflow flag OV exists, the data stored inthe second storage circuit is outputted as valid data, and when nooverflow flag OV exists, the data stored in the first storage circuit isoutputted as valid data, whereby decoding using each current waveformcan be rendered difficult while the simplification and speeding up ofthe encoding processing computing unit is being carried out.

[0197] (22) In addition to the above, an advantageous effect is obtainedin that the computational result W of A2R⁻¹modN or ABR⁻¹modN is storedin a first storage circuit, the presence or absence of an overflow flagOV of an arithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is stored ina second storage circuit after the residue multiplication, when nooverflow flag OV exists, the least significant addresses for selectingthe first storage circuit and the second storage circuit are reversedand the first storage circuit is selected according to the address forselecting the second storage circuit to output the computational resultas valid data, and when the overflow flag OV exists, the leastsignificant addresses for selecting the first storage circuit and thesecond storage circuit are held as they are and the computational resultof the second storage circuit is outputted as valid data, wherebydecoding using each current waveform can be rendered difficult while thesimplification and speeding up of write logic into a register are beingcarried out in addition to the simplification of the encoding processingcomputing unit.

[0198] (23) In addition to the above, an advantageous effect is obtainedin that the computational result W of A²R−¹modN or ABR⁻¹modN is storedin a first storage circuit, the presence or absence of an overflow flagOV of an arithmetic unit is stored, addresses for the first storagecircuit and the second storage circuit are exchanged after the residuemultiplication, the subtraction W−N of N from a computational result Wselected according to an address for selecting the second storagecircuit is performed, and the subtraction result W−N is stored in thesecond storage circuit selected according to an address for selectingthe first storage circuit, and only when the overflow flag OV exists,the addresses are exchanged again and data stored in the first or secondstorage circuit selected according to the address for selecting thesecond storage circuit is outputted as valid data, whereby decodingusing each current waveform can be rendered difficult while thesimplification and speeding up of write logic into a register are beingcarried out in addition to the simplification of the encoding processingcomputing unit.

[0199] (24) In addition to the above, an advantageous effect is obtainedin that the computational result W of A₂R⁻¹ or ABR⁻¹is stored in a firststorage circuit, the subtraction W−N of N from the computational resultW of the first storage circuit is carried out after the residuemultiplication and stored in a second storage circuit, a borrow flag BRof an arithmetic unit at the subtraction of W−N is stored, and when theborrow flag BR exists, the least significant addresses for selecting thefirst storage circuit and the second storage circuit are reversed andthe computational result W of the first storage circuit is outputtedaccording to an address for selecting the second storage circuit,whereas when no borrow flag BR exists, the least significant addressesfor selecting the first storage circuit and the second storage circuitare held as they are and the computational result W−N of the secondstorage circuit is outputted according to the address for selecting thesecond storage circuit, whereby decoding using each current waveform canbe rendered difficult while the simplification and speeding up-of writelogic into a register are being carried out in addition to thesimplification of the encoding processing computing unit.

[0200] (25) In addition to the above, an advantageous effect is obtainedin that the encoding processing computing unit of the microcomputercomputes A=A²R⁻¹modN and A=ABR⁻¹modN according to the value of each bitof Y with A=1 and B=X in response to X, Y and N inputted thereto, andperforms a normal operation for performing the subtraction W−N of N fromthe computational result W when an overflow occurs in each computationalresult, and a disturbance-aimed operation for generating invalid data,based on a computation corresponding to the subtraction W−N even when nooverflow occurs in each individual computational results, therebyoutputting valid data according to the presence or absence of theoverflow, whereby decoding using each current waveform can be rendereddifficult while the simplification and speeding up of write logic into aregister are being carried out in addition to the simplification of theencoding processing computing unit.

[0201] (26) In addition to the above, an advantageous effect is obtainedin that in the encoding processing computing unit of the microcomputer,the computational result W of A²R⁻¹modN or ABR⁻¹modN is stored in afirst storage circuit, the presence or absence of an overflow flag OVfrom an arithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, the result of computation thereofis stored in the first storage circuit when the overflow flag OV exists,the result of computation thereof is written into a second storagecircuit different from the first storage circuit as the confusion-aimedoperation when no overflow flag OV exists, and the computational resultof the first storage circuit is outputted as valid data, wherebydecoding using each current waveform can be made difficult while thesimplification and speeding up of the encoding processing computing unitare being carried out.

[0202] (27) In addition to the above, an advantageous effect is obtainedin that in the encoding processing computing unit of the microcomputer,the computational result W of A²R⁻¹modN or ABR⁻¹modN is stored in afirst storage circuit, the presence or absence of an overflow flag OV ofan arithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and the computational result W−Nis selected by a selector when the overflow flag OV exists, whereas whenno overflow flag OV exists, the computational result W of the firststorage circuit is selected by the selector and stored in a secondstorage circuit, and the computational result W is outputted as validdata, whereby decoding using each current waveform can be rendereddifficult while the simplification and speeding up of the encodingprocessing computing unit is being carried out.

[0203] (28) In addition to the above, an advantageous effect is obtainedin that in the encoding processing computing unit of the microcomputer,the computational result W of A²R⁻¹modN or ABR⁻¹modN is stored in afirst storage circuit, the presence or absence of an overflow flag OV ofan arithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and when the overflow flag OVexists, the subtraction result W−N is stored in a second storagecircuit, when no overflow flag OV exists, the subtraction result W−N isstored in a third storage circuit, when the overflow flag OV exists, thedata stored in the second storage circuit is outputted as valid data,and when no overflow flag OV exists, the data stored in the firststorage circuit is outputted as valid data, whereby decoding using eachcurrent waveform can be rendered difficult while the simplification andspeeding up of the encoding processing computing unit is being carriedout.

[0204] (29) In addition to the above, an advantageous effect is obtainedin that in the encoding processing computing unit of the microcomputer,the computational result W of A²R⁻¹modN or ABR⁻¹modN is stored in afirst storage circuit, the presence or absence of an overflow flag OV ofan arithmetic unit is stored, the subtraction result W−N of N from thecomputational result W stored in the first storage circuit is stored ina second storage circuit after the residue multiplication, when nooverflow flag OV exists, the least significant addresses for selectingthe first storage circuit and the second storage circuit are reversedand the first storage circuit is selected according to the address forselecting the second storage circuit to output the computational resultas valid data, and when the overflow flag OV exists, the leastsignificant addresses for selecting the first storage circuit and thesecond storage circuit are held as they are and the computational resultof the second storage circuit is outputted as valid data, wherebydecoding using each current waveform can be rendered difficult while thesimplification and speeding up of write logic into a register are beingcarried out in addition to the simplification of the encoding processingcomputing unit.

[0205] (30) In addition to the above, an advantageous effect is obtainedin that in the encoding processing computing unit of the microcomputer,the computational result W of A²R⁻¹modN or ABR⁻¹modN is stored in afirst storage circuit, the presence or absence of an overflow flag OV ofan arithmetic unit is stored, addresses for the first storage circuitand the second storage circuit are exchanged after the residuemultiplication, the subtraction W−N of N from a computational result Wselected according to an address for selecting the second storagecircuit is performed, and the subtraction result W−N is stored in thesecond storage circuit selected according to an address for selectingthe first storage circuit, and only when the overflow flag OV exists,the addresses are exchanged again and data stored in the first or secondstorage circuit selected according to the address for selecting thesecond storage circuit is outputted as valid data, whereby decodingusing each current waveform can be rendered difficult while thesimplification and speeding up of write logic into a register are beingcarried out in addition to the simplification of the encoding processingcomputing unit.

[0206] (31) In addition to the above, an advantageous effect is obtainedin that in the encoding processing computing unit of the microcomputer,the computational result W of A²R⁻¹modN or ABR⁻¹modN is stored in afirst storage circuit, the subtraction W−N of N from the computationalresult W of the first storage circuit is carried out after the residuemultiplication and stored in a second storage circuit, a borrow flag BRfrom an arithmetic unit at the subtraction of W−N is stored, and whenthe borrow flag BR exists, the least significant addresses for selectingthe first storage circuit and the second storage circuit are reversedand the computational result W of the first storage circuit is outputtedaccording to an address for selecting the second storage circuit,whereas when no borrow flag BR exists, the least significant addressesfor selecting the first storage circuit and the second storage circuitare held as they are and the computational result W−N of the secondstorage circuit is outputted according to the address for selecting thesecond storage circuit, whereby decoding using each current waveform canbe rendered difficult while the simplification and speeding up of writelogic into a register are being carried out in addition to thesimplification of the encoding processing computing unit.

[0207] (32) An effect is obtained in that in an IC card supplied with anoperating voltage by an electrical connection between each of externalterminals and a read/write device, and including an input-outputoperation of data with an encoding process or a decoding process basedon an encoding processing computing unit operated in response toinstructions given from a central processing unit, the encodingprocessing computing unit is provided with each of registers, whichstores data used for a computation for the encoding process or decodingprocess in plural bit units, and data necessary prior to the encodingprocess or the decoding process is taken in such a register, whereby theneed for the transfer of data in the process of a computing operationcan be eliminated, thus making it possible to neutralize or invalidateoperation analysis at each current waveform.

[0208] (33) In addition to the above, an effect is obtained in that theencoding process or decoding process includes an exponential residuemultiplying operation applicable to RSA cryptography or the like, andthe encoding processing computing unit alternately computes A=A² modNand A=ABmodN with A=1 and B=X in response to X, Y and N inputtedthereto, computes A=A² modN corresponding to plural bits as viewed byplural bits from a high order of Y upon such computation, and brings thevalue of B necessary for the computation of ABmodN from the register inassociation with combinations of the plural bits, whereby the speedingup and security of an encoding process can be realized.

[0209] (34) An effect is obtained in that in an IC card supplied with anoperating voltage by an electrical connection between each of externalterminals and a read/write device, and including an input-outputoperation of data with an encoding process or a decoding process basedon an encoding processing computing unit operated in response toinstructions given from a central processing unit, the encodingprocessing computing unit is provided with a signal path for capturingdata used for the next computation from a storage circuit concurrentlywith a computing operation for the encoding process or decoding process,whereby the computing operation and data transfer can be carried outsimultaneously and hence an attack using each current waveform can beinvalidated while the register is being simplified.

[0210] (35) In addition to the above, an effect is obtained in that theencoding process or decoding process includes an exponential residuemultiplying operation applicable to RSA cryptography or the like, andthe encoding processing computing unit alternately computes A=A² modNand A=ABmodN with A=1 and B=X in response to X, Y and N inputtedthereto, computes A=A² modN corresponding to plural bits as viewed byplural bits from a high order of Y upon such computation, and brings thevalue of B necessary for the computation of ABmodN corresponding tocombinations of the plural bits from the storage circuit concurrentlywith such computation, whereby the speeding up and security of anencoding process can be realized.

[0211] (36) An effect is obtained in that in an IC card, which issupplied with an operating voltage by an electrical connection betweeneach of external terminals and a read/write device, in which a centralprocessing unit, a storage circuit, an encoding processing computingunit and a random number generator are connected to a common addressbus, and which includes an input-output operation of data with anencoding process or a decoding process based on the encoding processingcomputing unit and the storage circuit operated in response toinstructions given from the central processing unit, data for theencoding process or decoding process, which is supplied from the storagecircuit to the encoding processing computing unit is data-transferred tothe encoding processing computing unit based on an address signal formedbased on a leading address supplied to an address generating circuitbuilt in the storage circuit from the central processing unit, and eachof random numbers produced by the random number generator is transmittedto an address bus commonly connected with the central processing unit,storage circuit and encoding processing computing unit as a pseudoaddress signal in association with the data transfer, whereby a currentwaveform about data transferred based on the pseudo address signal canbe disturbed, thus making it possible to invalidate an attack using eachcurrent waveform while the simplification of a register is being carriedout.

[0212] (37) In addition to the above, an effect is obtained in that theencoding process or decoding process includes an exponential residuemultiplying operation applicable to RSA cryptography or the like, andthe encoding processing computing unit alternately computes A=A² modNand A=ABmodN with A=1 and B=X in response to X, Y and N inputtedthereto, computes A=A² modN corresponding to plural bits as viewed byplural bits from a high order of Y upon such computation, and brings thevalue of B necessary for the computation of ABmodN from the storagecircuit in association with combinations of the plural bits, whereby thespeeding up and security of an encoding process can be realized.

[0213] (38) An effect is obtained in that in an IC card, which issupplied with an operating voltage by an electrical connection betweeneach of external terminals and a read/write device, in which a centralprocessing unit, a storage circuit, an encoding processing computingunit and a random number generator are connected to a common addressbus, and which includes an input-output operation of data with anencoding process or a decoding process based on the encoding processingcomputing unit and the storage circuit operated in response toinstructions given from the central processing unit, an encoded addresssignal formed by the central processing unit through the use of each ofrandom numbers produced from the random number generator is supplied tothe storage circuit, which in turn decodes the address signal by usingthe random number to generate a leading address, thereby reading datafor the encoding process or decoding process, followed by transfer tothe encoding processing computing unit, and each of random numbersproduced by the random number generator is transmitted to the addressbus commonly connected with the central processing unit, storage circuitand encoding processing computing unit as a pseudo address signal inassociation with the data transfer, whereby decoding of the addresssignal sent to the storage circuit can be rendered difficult and acurrent waveform about data transferred based on the pseudo addresssignal can be disturbed, thus making it possible to invalidate an attackusing each current waveform while the simplification of a register isbeing carried out.

[0214] (39) In addition to the above, an effect is obtained in that theencoding process or decoding process includes an exponential residuemultiplying operation applicable to RSA cryptography or the like, andthe encoding processing computing unit alternately computes A=A² modNand A=ABmodN with A=1 and B=X in response to X, Y and N inputtedthereto, computes A=A² modN corresponding to plural bits as viewed byplural bits from a high order of Y upon such computation, and brings thevalue of B necessary for the computation of ABmodN in association withcombinations of the plural bits, whereby the speeding up and security ofan encoding process can be realized.

[0215] (40) An effect is obtained in that in a microcomputer having amodule configuration including an input-output operation of data with anencoding process or a decoding process based on an encoding processingcomputing unit operated in response to instructions given from a centralprocessing unit, the encoding processing computing unit is provided witheach of registers, which stores data used for a computation for theencoding process or decoding process in plural bit units, and datanecessary prior to the encoding process or the decoding process isstored in the register, whereby the need for the transfer of data in theprocess of a computing operation can be eliminated, thus making itpossible to neutralize or invalidate an attack using each currentwaveform.

[0216] (41) In addition to the above, an effect is obtained in that eachcircuit referred to above is formed on one semiconductor substrate,thereby making it possible to realize the strengthening of securitywhile a reduction in module is being executed.

[0217] (42) An effect is obtained in that in a microcomputer having amodule configuration including an input-output operation of data with anencoding process or a decoding process based on an encoding processingcomputing unit operated in response to instructions given from a centralprocessing unit, the encoding processing computing unit is provided witha signal path for capturing data used for the next computation from astorage circuit concurrently with a computing operation for the encodingprocess or decoding process, whereby the computing operation and datatransfer can be carried out simultaneously and hence an attack usingeach current waveform can be invalidated while the register is beingsimplified.

[0218] (43) An effect is obtained in that in a microcomputer having amodule configuration in which a central processing unit, a storagecircuit, an encoding processing computing unit and a random numbergenerator are connected to a common address bus, and which includes aninput-output operation of data with an encoding process or a decodingprocess based on the encoding processing computing unit and the storagecircuit operated in response to instructions given from the centralprocessing unit, a leading address for data used for the encodingprocess or decoding process is supplied from the central processing unitto the storage circuit, which reads data according to an address signalformed by an address generating circuit built therein, followed bydata-transfer to the encoding processing computing unit, and each ofrandom numbers produced by the random number generator is transmitted tothe address bus commonly connected with the central processing unit,storage circuit and encoding processing computing unit as a pseudoaddress signal in association with the data transfer, whereby a currentwaveform about data transferred based on the pseudo address signal canbe disturbed, thereby making it possible to invalidate an attack usingeach current waveform while the simplification of each circuit is beingcarried out.

[0219] (44) An effect is obtained in that in a microcomputer having amodule configuration in which a central processing unit, a storagecircuit, an encoding processing computing unit and a random numbergenerator are connected to a common address bus, and which includes aninput-output operation of data with an encoding process or a decodingprocess based on the encoding processing computing unit and the storagecircuit operated in response to instructions given from the centralprocessing unit, the central processing unit encrypts or encodes aleading address of data for the encoding process or decoding process byusing each of random numbers generated by the random number generatorand supplies the same to the storage circuit, which decodes the addresssignal by using the random number to generate a leading address, therebyreading data, based on an address signal formed based on the leadingaddress, followed by transfer to the encoding processing computing unit,and each of random numbers produced by the random number generator istransmitted to the address bus commonly connected with the centralprocessing unit, storage circuit and encoding processing computing unitas a pseudo address signal in association with the data transfer,whereby a current waveform about data transferred based on the pseudoaddress signal can be disturbed while decoding of the address signalsent to the storage circuit is being made difficult, thereby making itpossible to invalidate an attack using each current waveform while thesimplification of each circuit is being carried out.

[0220] While the invention made by the present inventors has beendescribed above specifically by the embodiments, the invention of thepresent application is not limited to the embodiments. It is needless tosay that various changes can be made thereto within the scope notdeparting from the substance thereof. For example, an IC card may be oneequipped with a plurality of semiconductor integrated circuit devices inaddition to one equipped with one semiconductor integrated circuit. Amicrocomputer may be one wherein a CPU and its peripheral circuits aremade up of plural chips and mounted on one module substrate.

[0221] In addition to the exponential residue multiplying method ofperforming the encoding process, a computing process can be widely usedin, for example, a case in which the following computing process isselectively added in association with the presence or absence of anoverflow at a computing process or computing operation having anoperation or computation A and an operation or computation B asindicated by a flowchart shown in FIG. 25 and having a branch as towhether the operation B should be done according to the result of theoperation A. That is, if such a computing process as to execute theoperation B after the operation A and invalidate, if the operation B isfound to be unnecessary from the result of the operation A, the resultof operation thereof is carried out, then this would be useful as anoperation analytical countermeasure against data processing which needsa secret operation other than the encoding process.

[0222] As the microcomputer, any type may be used if the input/output ofdata is performed according to a data procedure based on a dataprocessing device inclusive of the data processing device and a ROM inwhich the data procedure has been written. The present invention can bewidely applied to, for example, various microcomputers requiringsecurity as in one-chip microcomputer or the like for a game or the likein addition to the above-described IC card chip. Further, the presentinvention can be widely used in various IC card and microcomputers whichneed security.

[0223] Effects obtained by typical ones of the inventions disclosed inthe present application will be described in brief as follows: In an ICcard supplied with an operating voltage by an electrical connectionbetween each of external terminals and a read/write device, andincluding an input-output operation of data with an encoding process ora decoding process, a disturbance-aimed processing operation is includedin the encoding process or decoding process to uniformalize timingsprovided to operate an internal circuit and its operating current,whereby decoding using each of current waveforms can be made difficult.

[0224] In a microcomputer having a module configuration including aninput-output operation of data with an encoding process or a decodingprocess, a disturbance-aimed processing operation is included in theencoding process or decoding process to uniformalize timings provided tooperate an internal circuit and its operating current, whereby decodingusing each current waveform with respect to the moduled microcomputercan be made difficult.

[0225] Effects obtained by typical ones of the inventions disclosed inthe present application will be described in brief as follows: In an ICcard supplied with an operating voltage by an electrical connectionbetween each of external terminals and a read/write device, andincluding an input-output operation of data with an encoding process ora decoding process based on an encoding processing computing unitoperated in response to instructions issued from a central processingunit, the encoding processing computing unit is provided with each ofregisters, which stores data used for a computation for the encodingprocess or decoding process in plural bit units, and data necessaryprior to the encoding process or the decoding process is taken in theregister, whereby the need for the transfer of data in the process of acomputing operation can be eliminated, thus making it possible toneutralize or invalidate an attack using each current waveform.

[0226] In a microcomputer having a module configuration including aninput-output operation of data with an encoding process or a decodingprocess based on an encoding processing computing unit operated inresponse to instructions given from a central processing unit, theencoding processing computing unit is provided with each of registers,which stores data used for a computation for the encoding process ordecoding process in plural bit units, and data necessary prior to theencoding process or the decoding process is stored in the register,whereby the need for the transfer of data in the process of a computingoperation can be eliminated, thereby making it possible to invalidate anattack using each current waveform.

What is claimed is:
 1. An IC card supplied with an operating voltage byan electrical connection between each of external terminals and aread/write device, and including an input-output operation of data withan encoding process or a decoding process, wherein a first processingoperation is included in the encoding process or decoding process touniformalize timings provided to operate an internal circuit and anoperating current thereof.
 2. The IC card according to claim 2 , whereinthe encoding process or decoding process includes an exponential residuemultiplying operation applicable to RSA cryptography or the like.
 3. TheIC card according to claim 1 , wherein the exponential residuemultiplying operation is carried out by an encoding processing computingunit operated in response to instructions given from a centralprocessing unit.
 4. The IC card according to claim 3 , wherein theencoding processing computing unit alternately computes A=A² modN andA=ABmodN with A=1 and B=X in response to X, Y and N inputted thereto,and allows a storage circuit to capture the computational result of A²modN as valid data if a bit is logical 0 as viewed bit by bit from ahigh order of Y upon such a computation, and allows a storage circuit tocapture the computational results of A² modN and ABmodN as valid data ifthe bit is a logical 1, and when the bit is given as the logical 0, theoperation of computing A=ABmodN is set as the first processingoperation.
 5. The IC card according to claim 4 , wherein said storagecircuit is a register block comprising a read/write buffer and aplurality of registers in which the input/output of data is done throughthe read/write buffer, and said computational result controls a gatecircuit according to a logical 1 or 0 of a specific bit e_(i) of the Y,and controls the transmission of a write strobe signal supplied to apredetermined register, thereby allowing the predetermined register tostore only valid data through the read/write buffer.
 6. The IC cardaccording to claim 4 , wherein said storage circuit is a register blockcomprising a read/write buffer and a plurality of registers each ofwhich performs the input/output of data through the read/write buffer,and said computational result controls a gate circuit according to alogical 1 or 0 of a specific bit e_(i) of the Y, and controls thetransmission of a write strobe signal supplied to the read/write buffer,thereby allowing the predetermined register to store only valid datathrough the read/write buffer.
 7. The IC card according to claim 4 ,wherein said storage circuit is a register block comprising a read/writebuffer, a plurality of registers each of which performs the input/outputof data through the read/write buffer, and a disturbance register, andsaid computation result controls a selector provided between saidread/write buffer and said disturbance register and plural registersaccording to a logical 1 or 0 of a specific bit e_(i) of the Y, therebyallowing a predetermined register to store valid data of thecomputational result written into the read/write buffer and allowing thedisturbance register to store invalid data.
 8. The IC card according toclaim 3 , wherein said encoding processing computing unit alternatelycomputes A=A2 modN and A=ABmodN with A=1 and B=X in response to X, Y andN inputted thereto, and allows a storage circuit to capture thecomputational result of A² modN as valid data with its output timing ifa bit is logical 0 as viewed bit by bit from a high order of Y upon sucha computation, and allows a storage circuit to capture the computationalresults of A² modN and ABmodN as valid data with its output timing ifthe bit is a logical 1, and said encoding processing computing unitcontinues the operation of A=A² modN even during a period from theoutput of the computational result of A=A² modN to the commencement ofthe computation of A=ABmodN, and continue the operation of A=ABmodN evenduring a period from the output of the computational result of A=ABmodNto the commencement of the computation of A² modN corresponding to thenext bit inclusive of a change determining process of each bit of the Y.9. The IC card according to claim 3 , wherein said encoding processingcomputing unit computes and overflow-computes A=A² modN and A=ABmodNwith A=1 and B=X in response to X, Y and N inputted thereto, and allowsa storage circuit to capture the computational result of A² modN asvalid data if a bit is logical 0 as viewed bit by bit from a high orderof Y upon such computations, and allows a storage circuit to capture thecomputational results of A² modN and ABmodN as valid data if the bit isa logical 1, and a computing operation of A=ABmodN at the logical 0 andan overflow computation unnecessary for each computing operation aredefined as the first processing operations.
 10. An IC card which issupplied with an operating voltage by an electrical connection betweeneach of external terminals and a read/write device, and which performsthe input/output of data with an encoding process or a decoding process,wherein said encoding process or said decoding process includes a firstcomputation to allow timings provided to operate an internal circuit andan operating current thereof to have irregularities.
 11. An IC cardwhich is supplied with an operating voltage by an electrical connectionbetween each of external terminals and a read/write device, and whichperforms the input/output of data with an encoding process or a decodingprocess, wherein first cycles are included in intervals for respectivecomputations in the encoding process or decoding process to allowtimings provided to operate an internal circuit and an operating currentthereof to have irregularities.
 12. A microcomputer having a moduleconfiguration including an input-output operation of data with anencoding process or a decoding process, wherein said encoding process orsaid decoding process includes a first processing operation touniformalize timings provided to operate an internal circuit and anoperating current thereof.
 13. The microcomputer according to claim 12 ,wherein said module configuration is formed on one semiconductorsubstrate for the implementation thereof.
 14. The microcomputeraccording to claim 13 , wherein said encoding process or decodingprocess includes an exponential residue multiplying operation applicableto RSA cryptography or the like, and said exponential residuemultiplying operation is executed by an encoding processing computingunit operated in response to instructions given from a centralprocessing unit.
 15. The microcomputer according to claim 14 , whereinsaid encoding processing computing unit alternately computes A=A² modNand A=ABmodN with A=1 and B=X in response to X, Y and N inputtedthereto, and allows a storage circuit to capture the computationalresult of A² modN as valid data if a bit is logical 0 as viewed bit bybit from a high order of Y upon such a computation, and allows a storagecircuit to capture the computational results of A² modN and ABmodN asvalid data if the bit is a logical 1, and when the bit is given as thelogical 0, the operation of computing A=ABmodN is set as the firstprocessing operation.
 16. The microcomputer according to claim 14 ,wherein said encoding processing computing unit alternately computesA=A² modN and A=ABmodN with A=1 and B=X in response to X, Y and Ninputted thereto, and allows a storage circuit to capture thecomputational result of A² modN as valid data with its output timing ifa bit is logical 0 as viewed bit by bit from a high order of Y upon sucha computation, and allows a storage circuit to capture the computationalresults of A² modN and ABmodN as valid data with its output timing ifthe bit is a logical 1, and said encoding processing computing unitcontinues the operation of A=A² modN even during a period from theoutput of the computational result of A=A² modN to the commencement ofthe computation of A=ABmodN, and continue the operation of A=ABmodN evenduring a period from the output of the computational result of A=ABmodNto the commencement of the computation of A² modN corresponding to thenext bit inclusive of a change determining process of each bit of the Y.17. The microcomputer according to claim 14 , wherein said encodingprocessing computing unit computes and overflow-computes A=A²modN andA=ABmodN with A=1 and B=X in response to X, Y and N inputted thereto,and allows a storage circuit to capture the computational result of A²modN as valid data if a bit is logical 0 as viewed bit by bit from ahigh order of Y upon such computations, and allows a storage circuit tocapture the computational results of A² modN and ABmodN as valid data ifthe bit is a logical 1, and a computing operation of A=ABmodN at thelogical 0 and an overflow computation unnecessary for each computingoperation are defined as the first processing operations.
 18. The ICcard according to claim 3 , wherein said encoding processing computingunit computes A=A²R⁻¹modN and A=ABR⁻¹modN according to the value of eachbit of Y with A=1 and B=X in response to X, Y and N inputted thereto,and performs a normal operation for performing the subtraction W−N of Nfrom the computational result W when an overflow occurs ih eachcomputational result, and a first operation for generating invalid data,based on a computation corresponding to the subtraction W−N even when nooverflow occurs in each individual computational results, therebyoutputting valid data according to the presence or absence of theoverflow.
 19. The IC card according to claim 18 , wherein thecomputational result W of A²R⁻¹modN or ABR⁻¹modN is stored in a firststorage circuit, the presence or absence of an overflow flag OV of anarithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and when the overflow flag OVexits, the result of computation thereof is stored in the first storagecircuit, whereas when the overflow flag OV is absent, the result ofcomputation thereof is written in a second storage circuit differentfrom the first storage circuit as the disturbance-aimed operation, andthe computational result of the first storage circuit is outputted asvalid data.
 20. The IC card according to claim 18 , wherein thecomputational result W of A²R⁻¹modN or ABR⁻¹modN is stored in a firststorage circuit, the presence or absence of an overflow flag OV of anarithmetic unit is stored, and the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and the computational result W−Nis selected by a selector when the overflow flag OV exists, whereas whenthe overflow flag OV is absent, the computational result W of the firststorage circuit is selected by the selector and stored in a secondstorage circuit, and said computational result W is outputted as validdata.
 21. The IC card according to claim 18 , wherein the computationalresult W of A²R⁻¹modN or ABR⁻¹modN is stored in a first storage circuit,the presence or absence of an overflow flag OV of an arithmetic unit isstored, the subtraction W−N of N from the computational result W storedin the first storage circuit is carried out after the residuemultiplication, and when the overflow flag OV exists, the subtractionW−N is stored in a second storage circuit, and when the overflow flag OVis absent, the subtraction W−N is stored in a third storage circuit,when the overflow flag OV exists, the data stored in the second storagecircuit is outputted as valid data, and when the overflow flag OV isabsent, the data stored in the first storage circuit is outputted asvalid data.
 22. The IC card according to claim 18 , wherein thecomputational result W of A²R⁻¹modN or ABR⁻¹modN is stored in a firststorage circuit, the presence or absence of an overflow flag OV of anarithmetic unit is stored, and the subtraction W−N of N from thecomputational result W stored in the first storage circuit is stored ina second storage circuit after the residue multiplication, and when nooverflow flag OV exists, the least significant addresses for selectingthe first storage circuit and the second storage circuit are reversedand the first storage circuit is selected according to the address forselecting the second storage circuit to output the computational resultas valid data, and when the overflow flag OV exists, the leastsignificant addresses for selecting the first storage circuit and thesecond storage circuit are held as they are and the computational resultof the second storage circuit is outputted as valid data.
 23. The ICcard according to claim 18 , wherein the computational result W ofA²R⁻¹modN or ABR⁻¹modN is stored in a first storage circuit, thepresence or absence of an overflow flag OV of an arithmetic unit isstored, and addresses for the first storage circuit and the secondstorage circuit are exchanged after the residue multiplication, thesubtraction W−N of N from a computational result W selected according toan address for selecting the second storage circuit is performed, andthe subtraction result W−N is stored in the second storage circuitselected according to an address for selecting the first storagecircuit, and only when the overflow flag OV exists, the addresses areexchanged again and data stored in the first or second storage circuitselected according to the address for selecting the second storagecircuit is outputted as valid data.
 24. The IC card according to claim18 , wherein the computational result W of A²R⁻¹modN or ABR⁻¹modN isstored in a first storage circuit, the subtraction W−N of N from thecomputational result W of the first storage circuit is carried out afterthe residue multiplication and stored in a second storage circuit, aborrow flag BR of an arithmetic unit at the subtraction of W−N isstored, and when the borrow flag BR exists, the least significantaddresses for selecting the first storage circuit and the second storagecircuit are reversed and the computational result W of the first storagecircuit is outputted according to an address for selecting the secondstorage circuit, when the borrow flag BR is absent, the leastsignificant addresses for selecting the first storage circuit and thesecond storage circuit are held as they are and the computational resultW−N of the second storage circuit is outputted according to the addressfor selecting the second storage circuit.
 25. The microcomputeraccording to 14, wherein said encoding processing computing unitcomputes A=A²R⁻¹modN and A=ABR⁻¹modN according to the value of each bitof Y with A=1 and B=X in response to X, Y and N inputted thereto, andfurther performs a normal operation for performing the subtraction W−Nof N from the computational result W when an overflow occurs in eachcomputational result, and a first operation for generating invalid data,based on a computation corresponding to the subtraction W−N even whenthe overflow does not occur in each individual computational results,whereby valid data is outputted according to the presence or absence ofthe overflow.
 26. The microcomputer according to claim 25 , wherein thecomputational result W of A²R⁻¹modN or ABR⁻¹modN is stored in a firststorage circuit, the presence or absence of an overflow flag OV from anarithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and the result of computationthereof is stored in the first storage circuit when the overflow flag OVexists, whereas when the overflow flag OV is absent, the result ofcomputation thereof is written into a second storage circuit differentfrom the first storage circuit as the first operation, and thecomputational result of the first storage circuit is outputted as validdata.
 27. The microcomputer according to claim 25 , wherein thecomputational result W of A²R⁻¹modN or ABR⁻¹modN is stored in a firststorage circuit, the presence or absence of an overflow flag OV of anarithmetic unit is stored, the subtraction W−N of N from thecomputational result W stored in the first storage circuit is carriedout after the residue multiplication, and the computational result W−Nis selected by a selector when the overflow flag OV exists, whereas whenthe overflow flag OV is absent, the computational result W of the firststorage circuit is selected by the selector and stored in a secondstorage circuit, which in turn is outputted as valid data.
 28. Themicrocomputer according to claim 25 , wherein the computational result Wof A²R⁻¹modN or ABR⁻¹modN is stored in a first storage circuit, thepresence or absence of an overflow flag OV of an arithmetic unit isstored, the subtraction W−N of N from the computational result W storedin the first storage circuit is carried out after the residuemultiplication, and when the overflow flag OV exists, the subtractionresult W−N is stored in a second storage circuit, whereas when theoverflow flag OV is absent, the subtraction result W−N is stored in athird storage circuit, when the overflow flag OV exists, the data storedin the second storage circuit is outputted as valid data, and when theoverflow flag OV is absent, the data stored in the first storage circuitis outputted as valid data.
 29. The microcomputer according to claim 25, wherein the computational result W of A²R⁻¹modN or ABR⁻¹modN is storedin a first storage circuit, the presence or absence of an overflow flagOV of an arithmetic unit is stored, and the subtraction result W−N of Nfrom the computational result W stored in the first storage circuit isstored in a second storage circuit after the residue multiplication, andwhen the overflow flag OV is absent, the least significant addresses forselecting the first storage circuit and the second storage circuit arereversed and the first storage circuit is selected according to theaddress for selecting the second storage circuit to output thecomputational result as valid data, whereas when the overflow flag OVexists, the least significant addresses for selecting the first storagecircuit and the second storage circuit are held as they are and thecomputational result of the second storage circuit is outputted as validdata.
 30. The microcomputer according to claim 25 , wherein thecomputational result W of A²R⁻¹modN or ABR⁻¹modN is stored in a firststorage circuit, the presence or absence of an overflow flag OV of anarithmetic unit is stored, addresses for the first storage circuit andthe second storage circuit are exchanged after the residuemultiplication, the subtraction W−N of N from a computational result Wselected according to an address for selecting the second storagecircuit is performed and the subtraction result W−N is stored in thesecond storage circuit selected according to an address for selectingthe first storage circuit, and only when the overflow flag OV exists,the addresses are exchanged again and data stored in the first or secondstorage circuit selected according to the address for selecting thesecond storage circuit is outputted as valid data.
 31. The microcomputeraccording to claim 5 , wherein the computational result W of A²R⁻¹modNor ABR⁻¹modN is stored in a first storage circuit, the subtraction W−Nof N from the computational result W of the first storage circuit iscarried out after the residue multiplication and stored in a secondstorage circuit, a borrow flag BR is stored from an arithmetic unit atthe subtraction of W−N, and when the borrow flag BR exists, the leastsignificant addresses for selecting the first storage circuit and thesecond storage circuit are reversed and the computational result W ofthe first storage circuit is outputted according to an address forselecting the second storage circuit, and when the borrow flag BR isabsent, the least significant addresses for selecting the first storagecircuit and the second storage circuit are held as they are and thecomputational result W−N of the second storage circuit is outputtedaccording to the address for selecting the second storage circuit.